The current implementation of the SCIONLab VM support allows only adding a new VM to designated SCIONLab ASes. As discussed with @jonghoonkwon and David Hausheer, the next step is to add the ability for SCIONLab users to:

• Update their VM configurations in case they have a new IP address. This means updating and serving their VM configuration tarball (already in place) on the coordination service and then have the relevant SCIONLab AS update the configuration of the counter part border router .
• Remove their VMs entirely from the system in case they do not wish to use it anymore. This means adding the necessary front-end and back-end support at the coordination service, and then having the relevant SCIONLab AS remove the counter part border router process from its local configuration.

In netsec-ethz/scion@69d6b03 the signature of go/lib/addr/isdas.go "IAFromString" function was changed to return a *common.Error. This breaks SCION Coord as it depends on that code.

There is a bug in run.sh where vagrant is reported to be installed when it is actually missing.
In addition, the script currently only supports mac os and ubuntu. Users of other linux distributions need to manually install vagrant and virtualbox.
It would be nice to automatize this for other distributions as well.

Currently we serve the whole VM package including the gen folder, vagrant configurations etc.

As discussed with David Hausheer and @perrig, it will be a useful extension for users to be able to download the pure gen folder for their SCION ASes, so that they can run their ASes directly on a dedicated machine, without the use of a VM. This implies that the UI for this feature should not only ask the user to specify his/her public IP address but also the local IP address (which is currently set statically via the Vagrant configuration file) inside their NAT.

The current implementation of our Vagrant configuration downloads a base Ubuntu 16.04 image and then installs and configures SCION at the setup phase.
As discussed with David Hausheer and @jonghoonkwon, it is possible to create an Ubuntu 16.04 image which already includes SCION installation and upload it to Vagrant repository (www.vagrantcloud.com).

This will reduce the required setup time of the VM on the user's side.

The function should receive the IP address, MAC address, source IP address from the SCION box via HTTPS. Compare IP address and source IP address to determine if box is behind a NAT. If the box is behind a NAT connect it to a SCIONLabserver similar to how a SCIONLabVM behind a Nat is connected.
Else the function uses IP geolocation and the user credentials to determine the boxes ISD. Then queries its database to find potential neighbors and sends them to the box.
Also we probably want a flag in the message that triggers a simplified call that either chooses neighbors for the box and then sends the gen folder or notifies the system admin to manually configure the box via ssh ( for the geneva box for example )

A nice-to-have feature for SCIONLab VM users would be to receive notification emails when their border router (on the SCIONLab AS to connect to) is activated, updated and removed.

When logging in to the SCION Coordination Service with either of the login fields being blank or the email field not being of the form username@host, the server panics with a "runtime error: invalid memory address or nil pointer dereference".

We need to store the current status of the services, which is reported by each installation.
At this stage we just keep it simple and do not store an history.

At the moment authentication, authorisation and XSRF token work.
We need however to review the code and investigate whether to use this library instead:
https://github.com/go-authboss/authboss
before going public.

As discussed with @chaehni and David Hausheer, it will be useful to have Captcha verification on the registration page of the SCIONLab Coordination Service.

Pre-requisite for opening up the SCIONLab Coordination Service to public.

Users should be able to download enhost configurations from the SCIONLab Coordination website.

Some of the terminology used in SCIONLab got more and more confusing over time.
As discussed with @ercanucan and others, we should do some refactoring and rename databases, variables, etc.
I propose the following naming conventions [NewName (OldName): Description]:

• AttachmentPoint (AP) (SCIONLabAS/SCIONLabServer): SCION ASes to which new ASes can be attached automatically
• SCIONLabAS (SCIONLabVM): ASes connected to APs that are set up and administered by users
• SCIONBox: Machines that are automatically managed through scion-coord and connected to APs;
  they can be APs themselves if the connection is good enough

Do you agree with these conventions or suggest different/additional ones?
Another question is what the relationship between SCIONLabASes and SCIONBoxes should be:
Is one a subset of the other or should they be separate concepts?

@pszalach and @kormat:

I put together the following document as the detailed API Design/Description of the SCION Coordination service:
https://docs.google.com/document/d/1YgnVoEpzUq9q2EsRg7mVdjX5FsS6NinZPizm9mIczC0/edit?usp=sharing

I would like to run these with you (preferably during Dev thing on Wednesday or a separate design meeting) and hopefully fix any issues you might think are relevant.

This database should store all ASes to which a new box can connect to. Along with information like number of neighbors, core, border router IP addresses and ISD. Stored ASes can be SCION boxes or native ASes or SCIONLab servers.
On the same topic ASes will be querying this Database to find out if a new AS wants to connect.

As discussed with @perrig, @hausheer and @mlegner, we would like to support multiple VMs per-user, with possibility to run them on the same host.

• The current implementation of scion-coord (DB, API, UI layers) assumes only one VM per user. This assumption must be relaxed.
• In order for the user to run multiple VMs on the same host, the Vagrant configuration generation also needs to be updated in terms of forwarded ports, VM names, etc.

Add an API endpoint implementing the other side of netsec-ethz/scion-box#3.
This will supercede #9.

I have the skeleton of the scion coordinator web app and REST api.
It contains a set of middleware for dealing with:

• Authentication
• Authorization
• XSRF token to use in combination with angularjs
• User sessions

In addition the boilerplate allows to have a config file.

Currently, users have to manually start the SCION infrastructure in their VM.
We should provide a systemd service that automatically starts the infrastructure when the VM is started.

As discussed with David (Hausheer), the simplified scion-web UI (netsec-ethz/scion-web#67) should query the currently deployed SCION version from scion-coord.
This way the single machine configuration can be simplified by one more step since the user does not have to choose which version to deploy.

As discussed with @perrig zookeeper should be removed from SCIONLab ASes which run only one instance of each service (i.e. SCIONLab VMs, SCION boxes)

This database will be used to store information about a Scion box. The status can be used to update the box when the box uses the heartbeat Api. This database also links the mac address of the box to the user.

Create a REST api for registering users.
The API should take care of gathering:

• Email
• Password
• First and last name
• Organization name

The API should also make at least a simple validation of those fields.
Finally during the registration process, once a user is successfully registered scion coordinator should generate a key and a secret.
To recap:

• Gather standard information for the user registration as listed above.
• Basic validation of the input fields.
• When successfully registered, generate a key and secret to be used to authenticate the API calls.

Currently, border routers in the designated SCIONLab ASes are running indefinitely for any created SCIONLab VM. As discussed with @perrig, for VMs that are not running, these BRs could be switched off and the VM set to an additional state "DORMANT" in order to safe resources.
An email could be sent to the users with instructions to reactivate the VM.

As discussed with @hausheer, a feature we would like to add is pre-approved, invitation-based registration (with a link the user can click on).

Coordination service should provide a page for the administrator to able to provide a new user's email address and organization. When the "Invite" button is clicked, the new user should receive an email with a link similar to: https://coord.scionproto.net/#/[email protected]&accountid=org

Pre-approved registrations do not need to go through email verification or Captcha.

Connection requests and replies should be signed and include a timestamp.

A "nice-to-have" feature in SCION Coordination Service would be the ability to visualize the entire topology of the testbed.

Each local scion-web instance would report their topology information (periodically) and scion-coord would combine this information to draw a visualization of the entire topology.

The scion local web interface should send an AS id to the coordinator. This needs to validate the AS id to make sure it is not in use already.
In case it's in use, the coordinator could respond with an error and a list of possible available IDs.

Currently a lot of information is leaked through error messages in order to facilitate debugging.
For the "beta release" of SCIONLab this verbosity should be decreased, possibly at the same time adding a "debug" option to the configuration.

There should be a mechanism to update the SCION code and VM configuration for all SCIONLab VMs without requiring interaction by the users.

We currently use Let's Encrypt certificates for Scion Coordination Service.
It's a pre-prod requirement to switch the Go APIs to speak HTTPS instead of HTTP.

Once a core AS accepts the entrance of the newly created account, it needs to sign the certificate uploaded in issue #4
At this point the rest API should also receive information about the core AS:

• Ip address
• Port

To recap, the REST API should allow to:

• Upload the signed certificate.
• Accept an IP address field.
• Accept a port field.

Ideally all this is done in once call.

Currently, scion-coord does not have a mechanism to re-send the verification email.
As discussed with @chaehni and David Hausheer, in case a user loses the verification email before he activates his account or the email delivery fails, it would be useful for the user to be able to re-request the verification email.

When a new account wants to join scion test-bed network, then the other nodes need to be notified.
Create a simple API which returns some information about this.
TODO: discuss what kind of information the coordinator needs to return.

• Certificate is definitely one of them.

Once the core as has uploaded successfully the certificate and the ip address and port, then these info needs to be passed to the new account.
Create an API entry point for downloading this information.

As discussed with @perrig, downloaded VM configurations should contain SCION AS Visualization tool, so that the users can view the topology of the network.

This feature also requires the following configurations packaged into the VMs:

• Relevant sciond configuration.
• Relevant endhost configuration.

Handling of the registration and login works fine with angular, however, once the user logs out the XSRF token needs to be regenerated. This seems to cause several issues.
One solution would be to refresh the login page, after a user logged out, however I think it's a better idea to move the whole logic on the server side and keep the angular application only for the administration part. (after logging in)

Once the AS id is agreed between the coordinator and the newly created account, then the scion local web interface needs to upload the certificate to the coordinator.

• Create an API entry point for the upload of the certificate.
• Simple validation of the certificate by checking that the AS id is present and correspond to the agreed one.

Scion Coordination Service code-base needs CircleCI integration.

We should update the SCION code (https://github.com/netsec-ethz/scion/tree/scionlab) running in the infrastructure and SCIONLab ASes, in particular updating to go 1.9.

Each AS/Core sends fragment of the network topology.
Re-assemble them together to display the full topology.
Possible ways to display it, I can think of right now:

• A tree
• A world map

There should be one central script that handles the majority of the SCION setup for different platforms.
This script could then be called from the Vagrantfile, downloaded and executed by the user for a native setup, and be included in the Raspberry Pi and Odroid images.

The topology figure on the front page of the SCIONLab Coordination Service should be automatically updated in regular intervals.
In addition, it should contain names/labels for ISDs and ASes.

Scion coordination service needs to implement API(s) and necessary front-end to show a list of the available ASes.

SCION coordination service currently provides unit tests for the database layer.
We need tests for the API layer.

At the moment, the users of SCIONLab are connected to a fixed SCIONLab AS (1-7 in this case). As discussed with David Hausheer and @jonghoonkwon, the number of allowed SCIONLab ASes should be increased and the users should be able to choose which SCIONLab AS they want to connect to.

(short/mid-term) As discussed with @hausheer, one way to make SCIONLab more engaging for the users is to integrate/configure SIG into the SCIONLab VMs. This way the users will be able to send actual traffic through SCIONLab.

Each installation should report to the coordinator the status of the services.
The status should be:

• healthy
• down
• degraded

This function should receive a list of neighbors from the SCION box. The function then updates the Database, generates the gen folder and sends the gen folder to the SCION box.
The ASes the box connects to, will be querying the Database similar to how the SCIONlabserver queries the database and also update their configuration accordingly.

As discussed with @hausheer, @perrig and @mlegner, one way to provide SCIONLab for NATted cases with changing IP addresses (such as home users) would be to use an OpenVPN-based approach.
In such scenarios, designated SCIONLab ASes would run an instance of OpenVPN server. Each newly created SCIONLab VM (which would connect to such SCIONLabASes) would be generated with configuration to run an OpenVPN client.